Anomaly Detection based on Clustering User's Behaviors

Korean title: Anomaly Detection Using User Behavior Clustering

  • Oh, Sang-Hyun (Dept. of Computer Science, Graduate School of Yonsei University)
  • Lee, Won-Suk (Dept. of Computer Science, Yonsei University)
  • Korean author names: 오상현 (Oh, Sang-Hyun); 이원석 (Lee, Won-Suk)
  • Published : 2000.08.01

Abstract

For detecting various computer intrusions effectively, many researchers have developed misuse-based intrusion detection systems. Recently, work related to anomaly detection, which improves on the drawback of the misuse detection technique, has been under focus. In this paper, a new clustering algorithm based on a support constraint is proposed for generating a user's normal activity patterns in anomaly detection. It grants a user's recently observed activity more weight than activity observed in the past. So that a user's anomaly can be analyzed from various angles, the user's activity is classified by many measures, and for each of them the user's normal patterns are generated by using the proposed algorithm. As a result, using the generated normal patterns, a user's anomaly can be detected easily and effectively.

To detect computer intrusions effectively, many studies have developed misuse detection techniques. Recently, research on anomaly detection techniques has been under way to improve on misuse detection. This paper proposes a new clustering algorithm based on support for generating a user's normal behavior patterns in anomaly detection. The proposed algorithm applies a method that gives more weight to a user's recent behavior than to past behavior. In addition, so that a user's behavior can be analyzed from various angles, the user's behavior is classified into several decision measures, and the user's normal behavior patterns are generated for each measure using the proposed algorithm. As a result, a user's anomalous behavior can be detected effectively.
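The approach the abstract sketches, as an added example that is not the paper's code: each measure (command, login hour, file) gets its own normal pattern, values are clustered by recency-weighted support, and a new session is scored per measure. The exponential decay factor, the support threshold, the function names and the sample audit events are all assumptions.

```python
"""Added illustration (not the paper's implementation): per-measure normal profiles
built from recency-weighted support, then used to score a new session."""
from collections import defaultdict

# Constructed sample audit trail: (day, measure, value).  Days 1-2 show an old
# habit (compiling), days 3-5 the user's current habit (editing report.txt).
OLD = [("command", "gcc"), ("command", "make"), ("hour", "10"), ("file", "main.c")]
NEW = [("command", "vi"), ("command", "ls"), ("hour", "09"), ("file", "report.txt")]
HISTORY = [(day, m, v) for day, obs in ((1, OLD), (2, OLD), (3, NEW), (4, NEW), (5, NEW))
           for m, v in obs]

def weighted_support(events, now, decay=0.8):
    """Support of each value within each measure.  An event observed d days ago
    contributes decay**d instead of 1 (assumed exponential recency weighting)."""
    weight = defaultdict(lambda: defaultdict(float))
    total = defaultdict(float)
    for day, measure, value in events:
        w = decay ** (now - day)
        weight[measure][value] += w
        total[measure] += w
    return {m: {v: w / total[m] for v, w in vals.items()} for m, vals in weight.items()}

def normal_patterns(events, now, min_support=0.2, decay=0.8):
    """Cluster each measure's values into a normal pattern: the values whose
    recency-weighted support satisfies the support constraint."""
    support = weighted_support(events, now, decay)
    return {m: {v for v, s in vals.items() if s >= min_support} for m, vals in support.items()}

def anomaly_score(patterns, session):
    """Per measure, the fraction of a session's observations outside the user's
    normal pattern: 0.0 is fully normal, 1.0 is fully novel for that measure."""
    seen, unusual = defaultdict(int), defaultdict(int)
    for measure, value in session:
        seen[measure] += 1
        if value not in patterns.get(measure, set()):
            unusual[measure] += 1
    return {m: unusual[m] / seen[m] for m in seen}

if __name__ == "__main__":
    patterns = normal_patterns(HISTORY, now=5)
    # With decay, the stale "gcc"/"make" habit drops below min_support; with
    # decay=1.0 (no recency weighting) it would still count as normal.
    print(patterns)
    print(anomaly_score(patterns, [("command", "ls"), ("command", "rm"),
                                   ("command", "vi"), ("hour", "03"), ("file", "payroll.db")]))
```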

Keywords
